Hi,
Yes, MIME type registration (and URI registrations) has a huge potential for triggering malicious payload (often leading to arbitrary code execution), through web, PDFs, emails, etc. Any media type or URI scheme registration is a potential attack surface.

Security Note: Never set a handler that will blindly execute code or commands from the file being handled. Such behaviour will sooner or later lead to unintended code execution i.e. through a curious user trying to inspect a freshly downloaded file but running it by accident. Keeping opening and executing separate actions helps with people protecting themselves from malware, the default handler is an opener, not a runner.

tl;dr of the rest of this: Most open-source programs (whether by accident or on purpose) seem to heed this advice. Some of them don't. Those that don't are quite useful for escaping sandboxes.
I have been scratching that itch for some time and here are some comments and findings.
Some findings:

* Argument injection in sensible-browser (CVE-2017-17512) [1]
* Argument injection in xdg-open (CVE-2017-18266) [1]
* Shell command injection in lilypond (CVE-2017-17523, CVE-2018-10992) [1]
* MIME type spoofing in Firefox/Thunderbird [2]
* Thunar forwards to other programs when passed a file through CLI (CVE-2021-32563) [2]
* PCManFM forwards to other programs when passed a file through CLI (still working) [2]
* PCManFM-Qt forwards to other programs when passed a file through CLI (still working) [2]
* Arbitrary file write in Stellarium file association (CVE-2023-28371) [3]
* Shell command and Emacs Lisp injection in emacsclient-mail.desktop (CVE-2023-27985, CVE-2023-27986) [4]
* Arbitrary code execution through kitty-open.desktop file association [5]

This type of issue is not uncommon. Sometimes a malicious behavior can be achieved by chaining several programs:
* In Freedesktop, URI registration is a special MIME registration (x-scheme-handler/foo). If a program A is registered as handler for x-scheme-handler/geo, some program B might decide to call program A to handle files served with the x-scheme-handler/geo MIME type (e.g. on the web, in emails). This could have unexpected consequences if this program could trigger arbitrary code execution when called through a file but not through a URI.
* When called with a file as argument, some file browsers will try to open the file using another program. I claim that this might be unsafe and might be exploited to hide malicious payload behind an innocuous media type and program ("it is safe to open this file with my file browser").
Some MIME and URI registrations are somewhat cryptic. The semantics of calling the associated program for a given file type or URI scheme are not always clearly documented, which makes assessment difficult. For example, Chrome registers "google-chrome:" URIs, Steam registers "steam:" and "steamlink:", and gitg registers "gitg:".
[1] https://www.gabriel.urdhr.fr/2018/05/28/browser-injections/
[2] https://www.gabriel.urdhr.fr/2023/03/07/mime-type-spoofing/
[3] https://www.gabriel.urdhr.fr/2023/06/08/arbitrary-file-write-in-stellarium-file-association/
[4] https://www.gabriel.urdhr.fr/2023/06/08/emacsclient-mail-shell-elisp-injections/
[5] https://www.gabriel.urdhr.fr/2023/09/23/code-execution-through-kitty-open/
Regards, Gabriel
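A defender-side check for the handler pattern the message warns about (a .desktop Exec= line that interpolates the handled file or URI into a shell command string, as in the emacsclient-mail case), as an added example that is not part of the original message: it parses a desktop entry and flags field codes (%f %F %u %U) glued into a larger argument and Exec= lines that run a shell with -c. The sample entries, the `mailtool` command name and the use of shlex as an approximation of the spec's quoting rules are assumptions made for this example.

```python
"""Audit .desktop handler registrations for risky Exec= patterns.
Heuristics: (1) a field code (%f %F %u %U) glued into a larger argument
means the file name is interpolated into a string parsed by another
interpreter; (2) Exec= running a shell with -c is fragile by design."""
import configparser
import re
import shlex

FIELD_CODE = re.compile(r"%[fFuU]")
SHELLS = {"sh", "bash", "dash", "/bin/sh", "/bin/bash", "/usr/bin/sh"}

def audit_desktop_entry(text: str) -> list[str]:
    """Return findings ('HIGH: ...' / 'INFO: ...') for one .desktop file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys are case-sensitive (Exec, MimeType)
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return ["INFO: no [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    # shlex is an approximation of the spec's quoting rules (assumption).
    try:
        argv = shlex.split(entry.get("Exec", ""))
    except ValueError as err:
        return [f"HIGH: unparseable Exec= ({err})"]
    findings = []
    for i, tok in enumerate(argv):
        # "%u" alone is fine; "tool %u" inside one argument means interpolation
        if FIELD_CODE.search(tok) and not FIELD_CODE.fullmatch(tok):
            findings.append(f"HIGH: field code embedded in argument {i}: {tok!r}")
    if argv and argv[0] in SHELLS and "-c" in argv[1:]:
        findings.append("INFO: Exec= runs a shell with -c")
    mimes = [m for m in entry.get("MimeType", "").split(";") if m]
    if findings and mimes:
        findings.append("INFO: registered for " + ", ".join(mimes))
    return findings

# Constructed sample entries for this example; not files from any real package.
UNSAFE_ENTRY = """[Desktop Entry]
Name=Example mail handler (unsafe)
Exec=sh -c "mailtool --compose %u"
MimeType=x-scheme-handler/mailto;
"""
SAFE_ENTRY = """[Desktop Entry]
Name=Example mail handler (safe)
Exec=mailtool --compose %u
MimeType=x-scheme-handler/mailto;
"""
if __name__ == "__main__":
    for name, entry in (("unsafe", UNSAFE_ENTRY), ("safe", SAFE_ENTRY)):
        print(name, audit_desktop_entry(entry) or ["no findings"])
```

Run it over /usr/share/applications/*.desktop and ~/.local/share/applications/*.desktop to list handlers that pass the handled file or URI through a shell string; a shell that receives the name as a separate positional argument (`sh -c 'exec tool "$1"' sh %f`) only gets the INFO finding.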